Automd Gromacs

Security checks across malware telemetry and agentic risk

Overview

This GROMACS automation skill appears purpose-aligned, but it can run scripts that install software, download remote files, mutate the local environment, and follow broad auto-repair guidance without clear consent gates.

Review before installing. Use this only in an isolated conda environment or container, inspect scripts before running them, and do not allow auto-install, wget downloads, sudo installs, or online molecular-service uploads unless you explicitly approve them and trust the data disclosure. Prefer manual dependency setup with pinned versions and checksums.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (41)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises executable capabilities such as shell use, file reads, and file writes, but does not declare permissions or provide an explicit trust boundary. That creates a real security issue because callers may authorize or invoke the skill without understanding that it can modify local files and execute external commands, increasing the risk of unintended system changes or command abuse.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented description understates the operational scope of the skill relative to the behaviors reported by analysis, including dependency installation, external downloads, invocation of third-party scientific software, and broader workflow routing. This is dangerous because users may trust the skill for bounded GROMACS automation while it can reach into package management, network retrieval, and additional tools, expanding the attack surface and enabling unanticipated code execution paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The document explicitly recommends that workflow scripts auto-install missing tools via conda or pip. That expands the skill from domain-specific MD automation into host environment modification, which can unexpectedly change packages, trigger network access, and execute installer hooks without clear user approval. In an agent context, this is risky because the model may follow the design and mutate the runtime automatically.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The proposed auto_install_dependencies routine would install packages into the runtime environment whenever tools are missing. This can alter reproducibility, violate least privilege, and create an unintended supply-chain exposure because package managers fetch and execute third-party content at run time. For an AI-operated skill, the danger is amplified because the agent may do this non-interactively.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The ligand parameterization flow includes logic to install ACPYPE automatically if it is unavailable. That means a chemistry-analysis script can modify the host environment and pull new software from external repositories as part of normal execution, which is outside the core purpose of processing molecular inputs. This creates avoidable risk from package supply-chain issues and unexpected system changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The guide instructs creation of a persistent per-user troubleshooting log in the home directory and analysis of that log, even though this is not necessary for core MD automation. Persistent activity logging can capture user behavior over time, create privacy risk, and leave residual data without consent, minimization, or retention controls.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The script silently falls back from aMD to well-tempered metadynamics while presenting it as an aMD-like substitute. These methods have different biasing mechanics, parameterization, and analysis assumptions, so a user may run and interpret the wrong simulation protocol without realizing it, leading to invalid scientific results and unsafe automation decisions.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The generated report describes all runs as accelerated MD and includes aMD-specific theory and reweighting formulas even when the code may have executed metadynamics instead. In a scientific workflow, this can corrupt downstream analysis, publication claims, and reproducibility because users may apply mathematically incorrect reweighting and misstate the method actually used.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script performs automatic downloads over the network and installs packages and tools as part of its 'auto-fix' flow, including fetching MARTINI force-field archives via plain HTTP and installing Python packages with pip3. This expands the trust boundary from local MD automation to arbitrary external code and content retrieval, creating supply-chain and integrity risks if remote resources are tampered with or if execution occurs in a sensitive environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script automatically installs missing tools at runtime using conda or pip, which expands its behavior from running a molecular dynamics workflow to modifying the host environment. This is dangerous because executing package-management operations without explicit approval can introduce unreviewed code, change reproducibility, and create supply-chain risk if package sources or names are compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: These lines invoke conda or pip to install packages directly from the script, giving the skill package-management capability beyond its stated computational purpose. In a scientific automation context this increases attack surface because dependency resolution may fetch and execute remote package code, and users may not expect the skill to alter their environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The script contains active package-management behavior that will install missing tools via conda or pip during execution, even though its primary purpose is to run a molecular dynamics workflow. This expands the script's privileges and trust boundary from local simulation orchestration into software acquisition and installation, creating supply-chain and environment-integrity risks if package sources, package names, or execution context are compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: Using conda or pip from within the workflow gives the script the ability to modify the host environment and fetch external code at execution time. In a skill or agent context, this is especially risky because a routine data-processing task gains package installation capability that can introduce malicious packages, unexpected dependency resolution, or silent modification of shared environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The script includes a helper that automatically installs missing tools with conda or pip, expanding its behavior from running a membrane-simulation workflow to modifying the host environment. In an agent or automation context, this is dangerous because it performs network and package-manager side effects without explicit approval, introducing supply-chain and environment-integrity risk if package names are spoofed, packages are compromised, or installation alters other workflows.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The index instructs an AI to route based broadly on user intent and then execute the matched script, but it does not define safety gates, disallowed request classes, or confirmation requirements before invoking high-impact workflows. In a skill that includes auto-install, auto-fix, and many simulation modes, this increases the risk of unsafe or unintended script execution from ambiguous prompts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The manifest advertises automatic execution, dependency installation, and automatic remediation but does not require user-visible consent before changing the system or installing software. That creates a clear risk of unintended package installation, environment drift, and execution of helper tools with side effects on the host.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: This section explicitly promotes automatic installation commands such as conda or pip and suggests fallback use of external web services for ligand processing, but it does not require user consent, environment isolation, provenance checks, or privacy review before doing so. In an AI-agent skill context, that is dangerous because an autonomous agent may modify the host system or transmit sensitive molecular inputs to third-party services without operator awareness.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This section goes beyond documentation and normalizes autonomous execution of shell-based remediation and parameterization flows, including installing tools and directing use of online services, while framing them as desirable AI behavior. In a skill intended for agent consumption, this increases the chance of unreviewed system changes, execution of complex external tooling, and data disclosure to third parties, especially because the examples present these actions as default recovery logic.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The markdown recommends automatic package installation but does not pair that behavior with a warning that the script will modify the environment, access package repositories, and potentially affect reproducibility or security. Silent environment mutation is especially problematic for agent-driven execution, where the human operator may not see or approve the side effects before they occur.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The implementation plan operationalizes auto-installation of dependencies in scripts without surfacing user warnings or approval requirements. In practice, that encourages unattended package installation by an agent, increasing the chance of unauthorized environment changes, dependency conflicts, and execution of unreviewed third-party installer code. The skill context does not require this capability to perform MD automation, so it is unnecessary risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The document tells operators to create and analyze a user activity log but provides no privacy notice, retention limit, access control guidance, or warning about collecting potentially sensitive workflow history. In a local agent skill, this can silently normalize user monitoring and long-lived data collection beyond the stated troubleshooting purpose.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding: The document instructs users to copy an executable into /usr/local/bin with sudo but does not warn about the trust boundary or risks of modifying a system-wide executable path. In an installation guide this is not inherently malicious, but it can normalize privileged installation of unverified code and increase the blast radius of mistakes or compromise.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The guide tells users to download insane.py directly from the internet, make it executable, and move it into /usr/local/bin without any integrity verification or trust warning. If the remote source, mirror, transport, or repository content is compromised, a user could install attacker-controlled code as a globally accessible executable.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The full environment setup downloads a remote executable script and installs it into the active conda environment without any authenticity or integrity checks. Even though this is scoped to the environment rather than the whole system, it still introduces a straightforward supply-chain risk because subsequent commands may trust and execute that script.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The troubleshooting guidance tells users to delete `md.cpt` with `rm -f` as part of restarting a simulation, but it does not warn that this permanently removes checkpoint/restart state and may discard recoverable progress. In an automation-oriented skill, users may copy-paste commands without realizing the deletion is destructive, increasing the chance of accidental data loss.

VirusTotal

VirusTotal findings are pending for this skill version.
